[Startmail.org promises snoop-free messaging — “StartMail lets you take back your right to communicate privately,” its website says. Reagan.com makes a similar offer: “Unlike some of the largest email service providers like Google, Yahoo, AOL, and Hotmail, @Reagan.com will not copy, scan, or sell a single word of your email content. Your ‘private’ email will stay ‘private.’”
But these services and others rely on policy, not technical architecture to keep snoops away, says John Kozlowski, a Chattanooga-area programmer. Mr. Kozlowski is near completing the Matryoshka secure email system. Based on his ShofarNexus software, the system promises to let security expand to voice communications too. The matryoshka is a nesting doll first carved in Russia in 1890 as an art object. Matryoshka intends to defeat not just content surveillance, but metadata spying, Mr. Kozlowski says.
You should care about telecom privacy not because you are bad, but because you are good. You have an SSN that needs to be kept private. You have bank account and tax information for your eyes only. You have personal communications, health information, drug use details, family histories regarding child care that are personal. You have educational material, political and religious ideas and personal info that are no one else’s business. Your data trove is kept under wraps as a matter of innocent self-interest, not guilt. You deserve privacy just as you deserve any other lawful property right.
Mr. Kozlowski explains why Matryoshka, shortly ready for market, is important by telling how the world’s most anonymous and secure cyber-territory, TOR, or The Onion Router, is a trap. Matryoshka will be freeware. Mr. Kozlowski is looking for people who would like to be resellers of a system that will next include telephones. Mr. Kozlowski’s website is Shofarnexus.com. I have an interest in this project, and invite your involvement.— DJT]
By John Kozlowski
It is a Web nostrum that no one on the Internet is secure. Support for this idea increases whenever a malefactor is caught or a bug is found in software or an algorithm.
Many suppose that security is to be found in using TOR. New analyses about The Onion Router is stoking controversy supporting the idea that security is impossible, a phantasm existing only in theory.
Let’s look at TOR to see if it is a trap, designed by the U.S. government to draw privacy-oriented traffic for the benefit of Uncle Sam and his allies. If TOR is limited or flawed, do those flaws serve policy and deep state interests? Does understanding them enable developers such as me to design a system that eliminates them?
The basic concepts like the public key cryptography are sound and can be relied on. Implementations are sometimes flawed, such as the breaking of the MD5 hash algorithm. However, even with that, 99.999% of the uses of MD5 are safe. Most slipups are goofily human, from passwords on a Post-It note below the keyboard to viruses that fool people into granting access.
Since 2011 I have been working on technology to secure the Web that I call Matryoshka. Just as the onion is a good analogy of how TOR functions, my project replicates the nestling egg-shaped dolls that drew the admiration of Russia’s czars and aristocrats. Matryoshka and Onion Routing are almost identical. Having worked since the 1970s in communications and cryptography, it’s not hard to see the strengths of TOR — nor its seeming looseness.
Traffic analysis
My first goal with Matryoshka is to plug the hole of traffic analysis that TOR leaves open. By several means even the most cautious and secretive users of the Web (dissidents, missionaries in dangerous habitats, inventors, businessmen) have their messages tracked. Metadata includes not only IP addresses, but locations, time, and very importantly message length.
If you are observing messages going between Alice and Bob, but have no idea about the content because of encryption, you can still determine a lot. A 140-byte message could be a tweet. A 5K-byte memo is an email. Three megabytes could be a MP3 song.
How to hide data from which such presumptions arise? Alice will send Bob a continuous stream of fixed length messages. Since they are encrypted, the content is secure. Since they are continuous, observers have no idea when one is real or when it is simply random garbage. Since packets are the same size, observers have no idea what kind of content is being sent. Continuously streaming packets are a simple and complete solution for traffic analysis — nothing new. TOR lets its operators capture metadata. Metadata is the gap in TOR’s armor.
Onion routing or the Matryoshka model
What about sender and receiver? TOR and Matryoshka rely on multiple levels of encryption. Alice’s computer encrypts the message for Bob, then re-encrypts the message for a computer before Bob, and does this action repeatedly for numerous computers — and finally sends the message. Each computer on the route decrypts the message one layer and sends it on until Bob finally gets the message. In TOR, this process is peeling the onion. In Matryoshka, its removing outer dolls to reveal ever smaller inner ones.
While there are numerous other details, with this general idea any given computer on the route will not know where the message originated from or where the final destination is. Therefore, even if a nefarious party is running one or more of these computers, it cannot tell anything about the traffic, nor can its people inject anything into it.
It should be noted that many forms of encryption can be broken with enough computing power. However, snooping succeeds when the surveillance party has some idea of what valid decrypted data looks like. When you decrypt one layer to yield just a lower layer of encrypted data, you have no indication that you have the correct results. The process of breaking an encryption key becomes vastly more difficult. Somewhat akin to an unaided man throwing a rock and hitting Mars.
The origin of the TOR Project
Let’s say you are an intelligence asset in a foreign country and need to communicate with handlers in the United States. Picking up a phone and calling is not a good idea. Email is worse. You need to have a way to communicate that will not draw any attention to you. This scenario is real and is the reason the TOR Project exists.
It is well documented and not denied how the U.S. Intelligence Community, spearheaded by the U.S. Navy, funded and built the TOR Project with the purpose of hiding communications for intelligence assets. It was clear at the outset that if their agents were the only ones using the technology, they would stand out as much as communication insecurely. They decided to make the project open and free so that anyone could use it, but they would fund it and they still do.
TOR has been used by millions around the world to hide traffic that ranges from innocuous to abhorrent. Mixed in those shopping list reminders, searches for a new job, study of an issues that may be politically incorrect, or even political dissent, are those intelligence assets reporting home as well as the vilest of the vile doing vile things.
Being able to privately tell you wife that you love her is a good thing and we don’t ban the technology allowing it, even though the same technology allows for an adulterer to chat with a mistress.
Monopolistic practices
The United States has many laws to prohibit monopolistic practices. Antitrust statutes, as they are called, prevent situations like a two well-funded apple growers colluding to undercut the price of a third to drive him out of business. We see this practice happening constantly on the Internet without restraint. The obvious example is free email services. These services are not free to the provider, but make it difficult for competitors who charge for their services.
Apply this collusion model to TOR. How do you compete with a free service? We don’t question why it is free, we just use it because it is free. TOR has garnered a vast market, but receives no profit from it. Or perhaps they do?
Continuing with the email example, Gmail appears free to the user, but in reality the user is the product. Google uses your information to essentially sell you to advertisers and others. Remember, it walks away with about $2 billion per month in advertising profits. This is not gross but profit alone. Its product is you. Its perceived benevolence comes from selling you. Gmail users are willing victims since the service is free and appears benign.
Google makes you feel secure that by using a secure connection (https) to your Gmail account. A secure server reduces the risk of a third party seeing the content of the traffic between you and Google, but it is Google who is the reader, tracker and exploiter of your email. You are handing it all content and metadata. What have you gained with a secure link besides a warm, fuzzy feeling and perhaps a need to be careful what you say?
TOR’s operation is similar. Its users, too, feel secure. They are secure to all but the provider of the service.
The hole in TOR
Unlike the Matryoshka Model, TOR exposes packet length to observers of end points. Consider this surveillance on a small scale. If you have the ability to see the data from a dozen computers, you could determine when one computer is sending to another even though you cannot get the data because of encryption. If you see a 456 byte message sent from computer A and a moment later the same or similar size message arrive at computer B you draw an obvious conclusion linking the two.
It is a much bigger task to be able to observe traffic from millions upon millions of computers around the world at the same time. Who would have the ability to do that? The answer is Five Eyes, the five nations that are part of the UKUSA Agreement formed during World War II. These are the same that fund the TOR Project.
The combined power of the Government Communications Headquarters (GCHQ), the National Security Agency (NSA), the Australian Signals Directorate (ASD), the Communications Security Establishment Canada (CSEC), and the Government Communications Security Bureau (GCSB) of New Zealand is sufficient to determine who is communicating with whom all the time and from any point on the globe.
Was TOR designed to be confidently and boldly used by all parties in whom the state security apparatus might take a special interest?
TOR’s hole is that metadata is not secure. Cause for misgivings? Matryoshka plugs that hole first. TOR invites free non-government users so its own assets remain hidden in the crowd. But it retains, I suspect, power to surveil the users by vast computing power, something lesser states might not have.
To play the role of the world hegemon, the U.S. and its agents might publically, repeatedly, and honestly state how their best efforts can’t defeat layered encryption methods used in TOR. Maverick and secretive users are lulled into a feeling of confidence that they have defeated the all-powerful NSA. Encryption, perhaps, gets the best of NSA’s routine snooping. But metadata gathering of all end points is within its power, leaving TOR users vulnerable by obliquer methods of spying.
When the U.S. deep state is tracking Party A and wants to know with whom it is communicating, it uses traffic analysis of all of the computers on the Web to connect that user to Party B. Once the interested parties are identified other techniques can be used to gain access to content, including invasive software or insertion of hardware such as the ANT Product Data catalog.
Things to consider
The TOR Project provides a worthy service, just as Gmail does. The proponents of the TOR Project articulate well the issues involved in security and offer great solutions for those issues, just like Gmail does. But TOR seems to adeptly ignore a fundamental matter just as Gmail does. TOR violates the spirit if not the letter of antitrust laws, just as Gmail does.
If a man offers you, a boy, a lollypop to get into his car, do you go?